LI Kang-jie,QIAN Zhen-jiang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.03.044

2013-01-01

Computer Science

Abstract:It is difficult to describe the correctness and security of the operate system(OS) by quantitative analysis.Formal method is the acknowledged standard one in design and verification for OS.Based on the operate system object semantics model(OSOSM),we designed and verified the interruption mechanism of microkernel architecture using formal method,which was realized on our self-implemented verified trusted operate system(VTOS).Meanwhile,we used the theorem prover Isabelle/HOL to formally describe the design process,and verify the integrality of the interruption mechanism of VTOS.Our research plays certain referential significance on formal design and verification of OS.

于淑英,黄皓,刘国斌

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.064

2009-01-01

Computer Science

Abstract:To avoid the security mechanism applied in operating systems being bypassed or tampered,this paper proposed the use of micro-kernel,multiserver architecture to assure the integrity of security kernel.Process isolation and message passing provided by the micro-kernel make the processes above isolated and protect the integrity of them effectively.Simplicity and modularity,the most obvious advantages of micro-kernel,laid an excellent base for the future formal verification.The prototype operating system,Nutos,was presented as an example on how to use these mechanisms to enforce security.It combined the multiserver architecture and the Flask security infrastructure to provide for flexibi-lity in security policies and integrity assurance for security sever and reference monitor.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Zhenjiang Qian,Hao Huang,Fangmin Song

DOI: https://doi.org/10.1007/978-3-319-02726-5_2

2013-01-01

Abstract:The correctness of the operating systems is difficult to be described with the quantitative methods, because of the complexity. Using the rigorous formal methods to verify the correctness of the operating systems is a recognized method. The existing projects of formal design and verification focus on the validation of code level. In this paper, we present a \"light-weight\" formal method of design and verification for OS. We propose an OS state automaton model (OSSA) as a link between the system design and verification, and describe the correctness specifications of the system based on this model. We implement the trusted operating system (verified trusted operating system, VTOS) as a prototype, to illustrate the method of consistency verification of system design and safety requirements with formalized theorem prover Isabelle/HOL. The result shows that this approach is feasible.

Hong Ying Tang,Zhen Jiang Qian,Hao Huang

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.837

2013-01-01

Advanced Materials Research

Abstract:As the manager of the data stored in the disk, the security of the file system is an important aspect of the operating system. Given the high logicalness and unambiguousness of the formal methods, also the module independence of the micro-kernel, this paper abstracts a formal model from the file system implementation based on micro-kernel, and then gives the axiomatic semantics of the initialization; finally, gives the correctness assertions of file system initialization, then verify the correctness of the formal model of file system aided with Isabelle/HOL.

Liu Wei,Li Xun,Huang Wei,Huang Hao,Zhixian Chen

DOI: https://doi.org/10.1109/CSSS.2011.5973957

2011-01-01

Abstract:Kernel-level attacks can compromise the security of an operating system by tampering with key data and control flow in the kernel. Current approaches defend against these attacks by applying data integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper tries our best to find out all resorts that violate the kernel integrity of operating system by analyzing what objects an action of the kernel relies on and affects. Then we examine all these objects to avoid them from being tamped with and also monitor whether the effect of an action of the kernel is the same as the semantics specified by the original design. Our operating system integrity surveillance system (OSISS) is implemented in a virtual machine monitor (VMM) and it can detect abnormity of an action by monitoring the data integrity and control flow integrity with acceptable performance loss. © 2011 IEEE.

QIAN Zhen-jiang,LIU Wei,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.11.072

2012-01-01

Abstract:This paper introduces the concepts of formal design and verification for the Operating System(OS),and elaborates the framework and foundational methods of formal design and verification.It compares and analyzes the monolithic kernel and micro kernel architectures of the OS.Meanwhile,it investigates multiple design and verification projects in depth,focusing on the verification objectives,the methodology,the advantages and limitations,and the progression.It summarizes the state of the art,analyzes and outlooks the trends of the formal design and verification for the OS.What is more,from the aspects of model design,verification tools,code implementation and verification reuse,it advances the ideas of formal design and verification.

Zhenjiang Qian,Hao Huang,Fangmin Song

DOI: https://doi.org/10.13232/j.cnki.jnju.2017.03.022

2017-01-01

Abstract:The formal method is a reliable one to ensure the correctness of design and implementation of operating system.The formal design and verification of operating system is still an extremely complex progress.Because of its low-level,it is difficult to validate the correctness of the assembly layer.How to effectively model for assembly codes,and easily validate the correctness of the semantics and effectiveness becomes a hot topic in the field of operating system formalization.In this paper,we present the method of formal verification of design and implementation of operating system on the assembly layer.We construct the kernel hardware abstract model of operating system,and describe the operational semantics of instructions.Based on this abstract model,we define the data objects affecting the system state,and establish the system state domain.With the description of operational semantics of instructions,we describe the transition functions of system states.Meanwhile,we define the constructed kernel hardware abstract model of operating system in Isabelle/HOL theorem prover,and take the self-implemented trusted operating system(VSOS)as the example to validate the correctness of the design and implementation of system on the assembly layer.The result shows that the proposed method is feasible and efficient.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

QIAN Zhen-jiang,LU Liang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.04.030

2013-01-01

Computer Science

Abstract:Microkernel architecture has become a hot topic in the research area of operating systems because of its effective isolation for modules.The multi-thread mechanism is a critical issue for the performance of the microkernel architecture.Many works research into the multi-thread of microkernel operating systems,but there are some problems such as frequent switching of system address space and high degree of implementation complexity.We used formal methods to describe and design the multi-thread and security mechanism,and proposed a hierarchical object semantics model.With the object semantics model,we formally designed the mechanism of inter-thread communication,thread scheduling,mutual exclusion and synchronization.Meanwhile,we used our self-implemented and verified microkernel operating system-VTOS as an example to test,and the results show that VTOS achieves multi-thread effectively and has a good system performance.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Yinggang Guo,Zicheng Wang,Bingnan Zhong,Qingkai Zeng

DOI: https://doi.org/10.1145/3564625.3567984

2022-01-01

Abstract:Privileged system software such as mainstream operating system kernels and hypervisors have an ongoing stream of vulnerabilities. Even the inflated secure world in Trusted Execution Environment (TEE) is no longer secure in complex real-world scenarios. Since higher privilege levels cannot always be stacked to provide protection, intra-level privilege separation has become a powerful way to build trustworthy systems. However, existing intra-level privilege separation systems lack sound security analysis and cannot give formal guarantees. In this paper, we introduce a general and extensible formal framework based on a privilege-centric model (PCM) and define the security properties that should be satisfied by intra-level privilege separation. We then instantiate two models using the B-method: Nested Kernel and Hilps, which utilize x86 WP and AArch64 TxSZ mechanisms, respectively. Their security is verified by model checking in ProB. The machine-checked analysis shows that our approach can not only effectively detect design errors and attacks, but also guide future system design.

Qian Ke,Chunlu Wang,Haixia Wang,Yongqiang Lyu,Zihan Xu,Dongsheng Wang

DOI: https://doi.org/10.1109/dsc55868.2022.00015

2022-01-01

Abstract:A new class of transient execution-based attacks, as known as Microarchitectural Data Sampling (MDS), were discovered in recent studies, such as RIDL, Fallout, and ZombieLoad, which have imposed severe threats to general-purpose processors. In MDS attacks, the attacker can steal the information from privileged CPU internal buffers, such as store buffers, line fill buffers, and load ports. To prevent these buffers from leaking information, processor vendors proposed mitigation via microcode update that overwrites CPU internal buffers as soon as the privilege levels are changed. However, the problem if a given architecture is safe against MDS attacks is still to be fully solved.In this study, we propose a formal verification method based on model checking to verify the microarchitectural security against MDS attacks. We formulate the MDS attacks as operation sequences, and set up a behavior model to describe the microarchitectural design correlated MDS attacks. A operation sequence is considered as an MDS attack if the operation sequence can obtain transient illegal data leaked from internal buffers during the operations. We enumerate all the possible sequences by binary decision diagram (BDD)-based statechart traversal, and output all the counterexamples. The experimental results show that the proposed method can sufficiently check the MDS attacks, and a kind of attack is detected to be able to bypass the mitigation proposed by Intel, which was contemporarily proposed as CacheOut attack.

Petr N. Devyanin,Alexey V. Khoroshilov,Victor V. Kuliamin,Alexander K. Petrenko,Ilya V. Shchepetkov

DOI: https://doi.org/10.1007/978-3-662-43652-3_30

2014-01-01

Abstract:The paper presents a work-in-progress on formal verification of operating system security model, which integrates control of confidentiality and integrity levels with role-based access control. The main goal is to formalize completely the security model and to prove its consistency and conformance to basic correctness requirements concerning keeping levels of integrity and confidentiality. Additional goal is to perform data flow analysis of the model to check whether it can preserve security in the face of certain attacks. Alloy and Event-B were used for formalization and verification of the model. Alloy was applied to provide quick constraint-based checking and uncover various issues concerning inconsistency or incompleteness of the model. Event-B was applied for full-scale deductive verification. Both tools worked well on first steps of model development, while after certain complexity was reached Alloy began to demonstrate some scalability issues.

Yanyan Shen,Kevin Elphinstone

DOI: https://doi.org/10.1109/EDCC.2015.16

2015-01-01

Abstract:Trustworthy isolation is required to consolidate safety and security critical software systems on a single hardware platform. Recent advances in formally verifying correctness and isolation properties of a microkernel should enable mutually distrusting software to co-exist on the same platform with a high level of assurance of correct operation. However, commodity hardware is susceptible to transient faults triggered by cosmic rays, and alpha particle strikes, and thus may invalidate the isolation guarantees, or trigger failure in isolated applications. To increase trustworthiness of commodity hardware, we apply redundant execution techniques from the dependability community to a modern microkernel. We leverage the hardware redundancy provided by multicore processors to perform transient fault detection for applications and for the microkernel itself. This paper presents the mechanisms and framework for microkernel based systems to implement redundant execution for improved trustworthiness. It evaluates the performance of the resulting system on x86-64 and ARM platforms.

Hamed Nemati

DOI: https://doi.org/10.48550/arXiv.2005.02605

2020-05-06

Abstract:Over the last years, security kernels have played a promising role in reshaping the landscape of platform security on today's ubiquitous embedded devices. Security kernels, such as separation kernels, enable constructing high-assurance mixed-criticality execution platforms. They reduce the software portion of the system's trusted computing base to a thin layer, which enforces isolation between low- and high-criticality components. The reduced trusted computing base minimizes the system attack surface and facilitates the use of formal methods to ensure functional correctness and security of the kernel. In this thesis, we explore various aspects of building a provably secure separation kernel using virtualization technology. In particular, we examine techniques related to the appropriate management of the memory subsystem. Once these techniques were implemented and functionally verified, they provide reliable a foundation for application scenarios that require strong guarantees of isolation and facilitate formal reasoning about the system's overall security.

Cryptography and Security

Yuehua Dai,Yi Shi,Yong Qi,Jianbao Ren,Peijian Wang

DOI: https://doi.org/10.1007/s11704-012-2084-0

2013-01-01

Abstract:Virtual machine monitors (VMMs) play a central role in cloud computing. Their reliability and availability are critical for cloud computing. Virtualization and device emulation make the VMM code base large and the interface between OS and VMM complex. This results in a code base that is very hard to verify the security of the VMM. For example, a misuse of a VMM hyper-call by a malicious guest OS can corrupt the whole VMM. The complexity of the VMM also makes it hard to formally verify the correctness of the system's behavior. In this paper a new VMM, operating system virtualization (OSV), is proposed. The multiprocessor boot interface and memory configuration interface are virtualized in OSV at boot time in the Linux kernel. After booting, only inter-processor interrupt operations are intercepted by OSV, which makes the interface between OSV and OS simple. The interface is verified using formal model checking, which ensures a malicious OS cannot attack OSV through the interface. Currently, OSV is implemented based on the AMD Opteron multi-core server architecture. Evaluation results show that Linux running on OSV has a similar performance to native Linux. OSV has a performance improvement of 4%-13% over Xen.

Xige ZHANG,ZHU Jiacheng,MA Jun,SHEN Lixiang,ZHOU Jiahui,MU Dejun,Jiacheng ZHU,Jun MA,Lixiang SHEN,Jiahui ZHOU,Dejun MU

DOI: https://doi.org/10.1051/jnwpu/20244210092

2024-02-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Large scale integrate circuits is facing serious threat such as design vulnerabilities, side channels, and hardware Trojans. Traditional functional verification method is difficult to ensure high test coverage, and it is also difficult to detect security vulnerabilities such as side channels and stealthy hardware Trojans. Formal verification methods focus on the equivalence and functional correctness of design, and are difficult to meet security and reliability verification needs. The present work proposes a hardware security and reliability verification method from formal model. The present method can develop formal models for describing the security and reliability behaviour of hardware designs. It can detect potential security vulnerabilities in hardware designs. Experimental results show that the verification method is effective in detecting sensitive information leakage and modification caused by side channels and hardware Trojans.

Denis Efremov,Ilya Shchepetkov

DOI: https://doi.org/10.48550/arXiv.2001.01442

2020-01-06

Software Engineering

Abstract:The Linux kernel is one of the most important Free/Libre Open Source Software (FLOSS) projects. It is installed on billions of devices all over the world, which process various sensitive, confidential or simply private data. It is crucial to establish and prove its security properties. This work-in-progress paper presents a method to verify the Linux kernel for conformance with an abstract security policy model written in the Event-B specification language. The method is based on system call tracing and aims at checking that the results of system call execution do not lead to accesses that violate security policy requirements. As a basis for it, we use an additional Event-B specification of the Linux system call interface that is formally proved to satisfy all the requirements of the security policy model. In order to perform the conformance checks we use it to reproduce intercepted system calls and verify accesses.

Yongwang Zhao

2015-01-01

Abstract:Separation kernel, a fundamental software of safety and security critical systems, provides to its hosted software applications high-assurance partitioning and information flow control properties. The application of separation kernel in critical domain demands the correctness of the kernel by formal verification. To our knowledge, there does not exist a survey paper on this topic. This paper give an overview to the topic of formal specification and verification of the separation kernel. We overview the concept of separation kernel and formal verification, survey the state of the art on the topic after the year 2000, and summarize these works by comparing them and discussing some issues.